Hackers find vulnerability to revive suspended Twitter accounts

A group of hackers claims to have found a way to seize inactive and suspended Twitter accounts, and is now selling them on the social network.

“Spain Squad” gained control of a number of accounts they allege were obtained with the exploit, including @Hell, @Hitler, @Nazi, @ak47, and @1337.

Worryingly, the Internet Archive shows that several of the handles held by Spain Squad were previously suspended — including @Hitler, @Hell, and @LizardSquad, an account previously owned by the notorious hacking group of the same name.

Others, like @AK47, @megaupload, and @1337 have been long inactive — but when they were inactive, had no apparent links to hacking groups. (Old tweets have since been deleted.)

Twitter declined to comment, but has since (re)suspended all the accounts apparently obtained using the vulnerability. It’s not clear whether the social network was aware of the vulnerability before Business Insider reached out for comment.

Once an account has been suspended by Twitter for rules violations (such as harassment or spam), there is not normally any way to create a new account with the same username — it is permanently unavailable. As such, the fact that hackers found a way to resurrect suspended accounts could have had worrying implications.

Similarly, accounts are not normally deleted for inactivity, so if someone chooses to abandon their account, their username should be permanently unavailable to others (unless Twitter chooses to delete an account to free it up).

It’s not clear how Spain Squad has been doing this: Unlike previous exploits that have been used to steal Twitter accounts, it looks like no one outside of Spain Squad knows the secret to the alleged exploit — and the group capitalised on this to try and sell the valuable accounts.

It could be a vulnerability in Twitter’s software, a compromised staff account, or some other explanation. It’s also unclear whether the exploit is still active, or was patched concurrently with the banning of the hijacked accounts.

@Ziter, a Twitter user that identifies themselves as part of Spain Squad, trying to sell accounts, and referenced in the bios of some of the stolen accounts.

@megaupload was being advertised for sale to Kim Dotcom, a famous internet entrepreneur who once had a business with the same name.

What’s the appeal of these accounts? Short, interesting, or “cool” handles for Twitter (and other social networks platforms) can be a kind of status symbol for some in hacker-y circles. People are even willing to pay money for them, so there’s a minor underground market in jacking “OG” handles and selling them on. (Brian Krebs, an independent security journalist, wrote a good piece on the phenomenon back in November 2015.)

A Spain Squad member called Akma, speaking via the @LizardSquad Twitter account prior to its re-suspension, told Business Insider that “we don’t want to talk about our exploit … we don’t want get patched soon.”

But they did provide more detail about the apparent exploit, claiming that they “can get any [account] if he has an activity on his account for more than 6 months … we can suspend Twitter … and we can unsuspended Twitter … [and] swap @ to other @user.”

Business Insider has not seen any evidence that the “exploit” can be used to suspend accounts, or it can switch handles between accounts like Akma claims — though Akma does threaten to do this to another hacking group on Twitter.